Why Compliance is Challenging


Continuous Expansion of Industry & Regulatory Standards


Every standard spans across Technical & Procedural Controls


Making Compliance a by-product of the security programs
Compliance necessities to Support Digital Transformation


Complete Visibility across Business Units, Technologies, and Environments including vendors


Simplified Compliance workflows, so the focus is on improving security rather than running products


Mapping the security data to the risk/compliance


Support for emerging technologies with traditional technologies
Use Case: ANSSI and GDPR Compliance


Customer: EU Financial institution 
Digital Transformation underway 
Leveraging ANSSI 40 controls for security 
GDPR IT Security Goals 


Goals
Address ANSSI and GDPR compliance as a by-product of good cybersecurity
Consolidated cybersecurity dashboard based on the ANSSI objectives


Requires
Security tools consolidation
Unified compliance dashboards
Strong out of the box content
End-End compliance mapping of security data from the tools
They started with a Strong Foundation


Inventory of Assets & Users
Hygiene Management (Patches, Versions...)
Vulnerability Management
Configuration Assessment
Process and Vendor controls
User rights & Permissions
Data Security


Audit areas


Training relating to their roles and responsibilities
Records management (electronic and manual records)
Requests for personal data
Security
Data sharing
Managing access
Design and operation of appropriate controls
Technical and organisational measures
Procedures in place
Agence nationale de la sécurité des systèmes d'information (ANSSI), France


II Control The Network

III Upgrade Software

IV Authenticate The User

V Secure Computer Terminals

VI Secure The Inside Of The Network

VII Protect The Internal Network From The Internet

VIII Monitor Systems

IX Secure Network Administration

X Control Access To The Premises And Physical Security

XI Organise Response In The Event Of An Incident

XII Raise Awareness
Qualys Compliance Apps


Policy Compliance
75%+ technical controls require checking configurations


File Integrity Monitoring 


GDPR requires tracking the changes on critical file systems 


Security Assessment Questionnaire 
Modern security programs include assessing vendor controls! 
Policy Compliance


Measure Policies and Controls — ANSSI 40 Essential Measures for a Healthy Network


Continuously Assess the breadth of technologies


Report, Inform & Remediate 


Manage Exceptions 


> I Know The Information Systems And Its Users

> II Control The Network

> IV Authenticate The User

> V Secure Computer Terminals

> VI Secure The Inside Of The Network

> VII Protect The Internal Network From The Internet

> VIII Monitor Systems

> IX Secure Network Administration

> X Control Access To The Premises And Physical Security

> XI Organise Response In The Event Of An Incident

> XII Raise Awareness

> XIII Carry Out A Security Audit


Broad Technology & Control Coverage 


Best In-class technology and out of the box content coverage 


[Figure: technology logos, including Debian, VMware, macOS, Elastic, Apache, Kafka, Redis, Sybase, MySQL and Ceph]


Complete Visibility 


Out of the box reporting for ANSSI and GDPR 


Assessment for Out-of-band Configurations 


Expanded UDC Support 
Cloud Agent Support for OS UDCs 
Database UDC 
Windows File Content 
Command-based UDCs 


Auto-remediation for configuration drifts 
(roadmap) 
New PC Dashboard & UI


Database User Defined Controls (UDC)


Initial Support: MSSQL, ...

Define DB Query (read only): a query that returns tabular data to evaluate (which can include evidence)

Example control: Accounts not logged in in last 90 days should be expired

Example query: SELECT UserID, UserName, Role, LastLogin, AccountEnabled from UserTable
Define Pass/Fail Criteria

Technology: Microsoft SQL Server 2008

Enabled: Boolean

Evaluation Criteria: Any Row matches LastLogin (DateTime)
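To show how a database UDC of the kind defined above is evaluated end to end, here is an added example (written for this page, not Qualys code). It runs the slide's query against a constructed SQLite UserTable standing in for SQL Server, enforces the read-only requirement on the query, and applies the "Any Row matches LastLogin" criterion for the control "Accounts not logged in in last 90 days should be expired". The sample rows, the function names, the date format and the decision to treat never-logged-in accounts as stale are this example's own assumptions.

```python
"""Database UDC evaluation, as an added example.

Runs the read-only query from the slide against a constructed UserTable,
then applies the pass/fail criterion "Any Row matches LastLogin (DateTime)"
for the control 'Accounts not logged in in last 90 days should be expired'.
The evaluation logic, the sample data and the SQLite stand-in for SQL Server
are this example's own, not product code.
"""
import sqlite3
from datetime import datetime, timedelta

# Constructed sample rows (UserID, UserName, Role, LastLogin, AccountEnabled).
SAMPLE_USERS = [
    ("u1", "alice", "dba",     "2018-11-20 09:00:00", 1),
    ("u2", "bob",   "analyst", "2018-06-01 12:00:00", 1),  # stale and enabled
    ("u3", "carol", "svc",     "2018-01-15 08:30:00", 0),  # stale but disabled
    ("u4", "dave",  "admin",   None,                  1),  # never logged in
]

# The query from the slide, unchanged apart from keyword case.
UDC_QUERY = "SELECT UserID, UserName, Role, LastLogin, AccountEnabled FROM UserTable"


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserTable (UserID TEXT, UserName TEXT, Role TEXT, "
                 "LastLogin TEXT, AccountEnabled INTEGER)")
    conn.executemany("INSERT INTO UserTable VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def run_query(conn, query):
    """Execute a UDC query and return rows as dicts. A UDC query must be
    read-only, so anything that is not a single SELECT is refused."""
    stripped = query.strip().rstrip(";")
    if not stripped.upper().startswith("SELECT") or ";" in stripped:
        raise ValueError("UDC queries must be a single read-only SELECT")
    cur = conn.execute(stripped)
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def evaluate_stale_accounts(rows, now, max_idle_days=90):
    """'Any Row' criterion: the control FAILS if any enabled account has a
    LastLogin older than max_idle_days. Accounts that never logged in carry no
    evidence of activity and are treated as stale. Returns (status, evidence)."""
    cutoff = now - timedelta(days=max_idle_days)
    evidence = []
    for row in rows:
        if not row["AccountEnabled"]:
            continue  # disabled accounts are already expired: no finding
        last = row["LastLogin"]
        stale = last is None or datetime.strptime(last, "%Y-%m-%d %H:%M:%S") < cutoff
        if stale:
            evidence.append(row)  # the row itself is the evidence for the report
    return ("FAIL" if evidence else "PASS"), evidence


def assess(as_of="2018-12-01"):
    """Run the whole UDC against the sample database as of a given date."""
    now = datetime.strptime(as_of, "%Y-%m-%d")
    rows = run_query(build_sample_db(), UDC_QUERY)
    return evaluate_stale_accounts(rows, now)


def is_rejected(query):
    """True if run_query refuses the statement (demonstrates the read-only guard)."""
    try:
        run_query(build_sample_db(), query)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    status, evidence = assess()
    print(status, [r["UserName"] for r in evidence])
```

As of 2018-12-01 the control fails on "bob" (last login in June) and "dave" (never logged in), while the disabled "carol" produces no finding; the same query is what the report would attach as evidence.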
What They will see in 2019


Unified Compliance Assessment through Security Metrics 


Mapping of Data Queries from Qualys Apps to Security Metrics


Mapping of 'Security Metrics' to Compliance requirements like ANSSI, GDPR


Result: Single Pane of Glass for Reporting Security & Compliance Metrics


Security Metric Examples 
[Dashboard screenshot: Vulnerability Management dashboard. The left column lists security metric examples, most of which are not legible; severity counts shown are Severity 5: 47, Severity 2: 44, Severity 1: 32. The right column is reconstructed below.]

Dashboard query | Control | QID | Title | Count
Vulnerability Management - Vulnerabilities with CVSS rating 7 or more | RA-5 | 371248 | HPE Intelligent Management Center (IMC) Multiple Vulnerabilities (HPESBHFO37...) | 120
Vulnerability Management - Java Vulnerabilities | RA-5 | 371090 | Java Debug Wire Protocol Remote Code Execution Vulnerability | 132
Vulnerability Management - Java Vulnerabilities | RA-5 | 371265 | Oracle Java SE Critical Patch Update - October 2018 | 508
Vulnerability Management - End of Life technologies | RA-5 | 370573 | EOL/Obsolete Software: Apache Struts 1 Detected | 70
Vulnerability Management - End of Life technologies | RA-5 | 105759 | EOL/Obsolete Software: Microsoft Visual Studio 2008 Detected | 76
Vulnerability Management - End of Life technologies | RA-5 | 105757 | EOL/Obsolete Software: pfSense Version 2.2.x Detected | 44
Vulnerability Management - End of Life technologies | RA-5 | 105753 | EOL/Obsolete Operating System: Microsoft Windows 10 Version 1607 Detected | 350
Vulnerability Management - Java Vulnerabilities | RA-5 | 22002 | Oracle Database Server Java VM Remote Code Execution Vulnerability | 55
Vulnerability Management - Java Vulnerabilities | RA-5 | 371035 | Apache Cassandra Arbitrary Java Code ... | 20
Assess ALL your assets against CIS
With Qualys Security Configuration Assessment


Security Configuration Assessment


Lightweight add-on to VM
Broad platform coverage
Accurate controls & content
Simple assessment workflow
Scan remotely or via agent
Powered by the Qualys Cloud
Out-of-band Configuration Assessment (OCA)


Make your Inaccessible, Sensitive Assets visible to your Vulnerability and Compliance Program


Francois BEZARD 
Technical Account Manager, Post Sales 


Use case: TWO of the biggest Banks


Disconnected/Inaccessible systems to be a part of overall Vulnerability, Risk and Compliance program


Sensitive Systems/Regulated Devices

Legacy Systems

Highly locked down systems

Network Appliances


Current Options:

Manual - screenshots, Ad-hoc scripts
Limited software-based support

Juniper Junos

NetApp Data ONTAP

SonicWall SonicOS
Introducing


Out-of-Band Configuration Assessment (OCA), add-on to VM/PC


Use/create your scripts to collect and push the data

Support for Inventory, Policy Compliance and Vulnerability Assessment

Platform creates snapshot and signatures work on this data
Configuration Upload Workflow (API/UI)


Push the Asset data
Upload Configuration Data
Qualys creates agent-based data snapshot
Report Generation


ASSET PROVISIONING

POST http://{{base_url}}/oca/v1.0/asset

Response:

    {
      "code": 200,
      "data": {
        "items": [
          "version",
          "tsclockserver",
          "configshow -all",
          "syslogdipshow"
        ]
      }
    }


COMMAND OUTPUT UPLOAD

POST http://{{base_url}}/oca/v1.0/asset/03df1879-458c-495d-873d-7ab2daa34045/command/output/{{type}}

Body: form-data; VALUE = uploaded file (Choose Files); DESCRIPTION
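The two-step upload workflow above, as an added example written for this page (not Qualys code). It provisions the asset, reads the list of device commands from the response, and posts each captured output to the command/output endpoint, refusing to proceed when a command's output is missing or empty. The endpoint paths are the ones on the slides; the asset body shape, the "id" field in the provisioning response and the use of the command name as the {{type}} path segment are assumptions. The HTTP transport is injected so the flow runs offline against a constructed fake server that answers with the command list from the slide.

```python
"""Out-of-band configuration upload client, as an added example.

Workflow from the slides: POST the asset (provisioning), take the list of
device commands from the response, then POST each captured command output
to .../asset/{id}/command/output/{type}. Endpoint paths are from the slides;
the asset body, the "id" field and using the command name as {type} are
assumptions of this example, which is not Qualys code.
"""
from urllib.parse import quote

BASE_URL = "http://base_url.example/oca/v1.0"   # placeholder for {{base_url}}


class OcaClient:
    def __init__(self, transport):
        # transport(method, url, body=None, files=None) -> decoded JSON dict
        self.send = transport

    def provision_asset(self, asset):
        """Step 1: push the asset data; returns (asset_id, expected commands)."""
        resp = self.send("POST", f"{BASE_URL}/asset", body=asset)
        if resp.get("code") != 200:
            raise RuntimeError(f"asset provisioning failed: {resp}")
        data = resp["data"]
        return data["id"], list(data["items"])

    def upload_command_output(self, asset_id, command, output):
        """Step 2: upload one command's captured output as a file."""
        if not output.strip():
            raise ValueError(f"empty output for command {command!r}")
        cmd_type = quote(command, safe="")      # e.g. 'configshow -all' -> 'configshow%20-all'
        url = f"{BASE_URL}/asset/{asset_id}/command/output/{cmd_type}"
        resp = self.send("POST", url, files={"file": output.encode("utf-8")})
        if resp.get("code") != 200:
            raise RuntimeError(f"upload of {command!r} failed: {resp}")


def push_device(client, asset, captured):
    """Run the whole workflow for one device. `captured` maps command -> output
    text collected out of band (e.g. by an operator's script on the device)."""
    asset_id, commands = client.provision_asset(asset)
    missing = [c for c in commands if c not in captured]
    if missing:
        raise ValueError(f"no captured output for: {missing}")
    for command in commands:
        client.upload_command_output(asset_id, command, captured[command])
    return asset_id, commands


# --- constructed fake server standing in for the platform -------------------
FAKE_ASSET_ID = "03df1879-458c-495d-873d-7ab2daa34045"      # id seen on the slide
FAKE_COMMANDS = ["version", "tsclockserver", "configshow -all", "syslogdipshow"]


def make_fake_transport(log):
    """Records every request in `log` and answers like the slide's responses."""
    def send(method, url, body=None, files=None):
        log.append((method, url, body, files))
        if url.endswith("/asset"):
            return {"code": 200, "data": {"id": FAKE_ASSET_ID, "items": FAKE_COMMANDS}}
        return {"code": 200}
    return send


def demo():
    """Push a constructed switch capture through the fake server; returns the request log."""
    log = []
    client = OcaClient(make_fake_transport(log))
    asset = {"name": "dcx-core-01", "technology": "Brocade DCX Switch"}   # assumed shape
    captured = {                                                           # constructed outputs
        "version": "Fabric OS: v7.4.1\n",
        "tsclockserver": "LOCL\n",
        "configshow -all": "fabric.ops.bladeFaultOnHwErrLevel:0\n",
        "syslogdipshow": "syslog.IP.address.1: 10.0.0.5\n",
    }
    push_device(client, asset, captured)
    return log


if __name__ == "__main__":
    for method, url, _, _ in demo():
        print(method, url)
```

With a real deployment the injected transport would wrap an authenticated HTTP client; keeping it injectable lets the collection script be tested offline before any device output leaves the site.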
Technology Support


v0.9 and v1.0 release
December 2018


FireEye Appliances

BigIP F5

Brocade DCX Switch

Acme Packet Net

Imperva Firewall

Cisco Wireless LAN Controller 7

Cisco UCS Server

NetApp OnTap

Juniper IVE


Future Priorities


AS 400

Cisco Meraki

Sonic Firewall

Fortinet Firewalls

Aruba WLC

Dell EMC Data Domain

Oracle Tape Library
Availability & Roadmap


December 2018
v.0.9 release for limited customers
API-based Asset and Config Data

January 2018
UI-based Data Upload for PC
Bulk asset data upload (CSV)
Integration with AssetView

February 2019
Extend Support to VM
Support OCA for AS400

1H 2019
Possible SDK route
Expand Platform Coverage
CMDB Integration
FIM Integration
File Integrity Monitoring


Log and track file changes across global IT systems.




Validating Integrity 


Why do organizations need File 
Integrity Monitoring solutions? 


Change control enforcement 
Compliance & audit requirements 
Explicit mandates like PCI 
Security best practices 
Compromise detection 
Qualys File Integrity Monitoring


Real-time detection


Built on the Qualys Cloud Agent
Easy to install, configure and manage
No expensive infrastructure to deploy
Use Case: File Integrity Monitoring for PCI


Customer: Retail 
Distributed network environment that benefits from cloud-based model 
20k+ Windows systems 
Large Linux back end infrastructure on-prem and in the cloud 


Goals
Monitor for change control enforcement
PCI auditor requirements


Requires
Scalable, cloud-based solution
Hands-off management of distributed agents
VM+PC+FIM at the Point of Sale
Broad Linux platform support
FIM Challenges


Deciding what depth to monitor 
Tuning out noise, but not missing important events 
Scalability of legacy solutions 


Meeting auditor event review requirements 
What Are Customers Monitoring?


Critical Operating System Binaries
OS and Application Configuration Files
Content, such as Web source

Permissions (such as on Database Stores)

Security Data (Logs, Folder Audit Settings)

User & Authentication Configurations
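The FIM challenges listed earlier (deciding what depth to monitor, tuning out noise without missing important events) and the asset classes customers monitor above come down to a baseline-and-diff loop. Here is an added example of that loop, written for this page and not product code: it hashes a baseline of monitored paths, re-scans, and reports created, deleted, content and permission events, with include/exclude globs that tune out churning log files while still catching a changed OS binary, a world-writable configuration file and new or removed web content. The directory tree, file names and the monitoring profile are constructed for the example.

```python
"""File integrity baseline and change detection, as an added example.

Hashes a baseline of monitored paths, re-scans, and reports
created/deleted/content/permission events. Exclude globs tune out noisy
paths (log files) without losing changes to binaries, configuration and
web content. Runs on a constructed temporary tree; not product code.
"""
import fnmatch
import hashlib
import os
import stat
import tempfile


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_any(rel, patterns):
    return any(fnmatch.fnmatch(rel, p) for p in patterns)


def take_baseline(root, include, exclude):
    """Map relative path -> (sha256, permission bits) for every file under
    root that matches an include glob and no exclude glob."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if not matches_any(rel, include) or matches_any(rel, exclude):
                continue
            mode = stat.S_IMODE(os.stat(full).st_mode)
            baseline[rel] = (file_digest(full), mode)
    return baseline


def diff_baselines(before, after):
    """Return change events as (event, path) tuples, sorted by path."""
    events = []
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            events.append(("created", rel))
        elif rel not in after:
            events.append(("deleted", rel))
        else:
            if before[rel][0] != after[rel][0]:
                events.append(("content", rel))
            if before[rel][1] != after[rel][1]:
                events.append(("permissions", rel))
    return events


# Monitoring profile (constructed): what depth to watch, and what noise to tune out.
INCLUDE = ["bin/*", "etc/*", "www/*", "var/log/*"]
EXCLUDE = ["var/log/*.log"]          # application logs churn constantly


def demo():
    """Build a constructed tree, baseline it, apply changes, return the events."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
            return path

        write("bin/sshd", b"binary-v1")
        cfg = write("etc/sshd_config", b"PermitRootLogin no\n")
        write("www/index.php", b"<?php echo 'hello';")
        write("var/log/app.log", b"started\n")
        os.chmod(cfg, 0o644)
        before = take_baseline(root, INCLUDE, EXCLUDE)

        write("bin/sshd", b"binary-v1-modified")           # critical OS binary changed
        os.chmod(cfg, 0o666)                                # config made world-writable
        write("www/upload.php", b"<?php /* new page */")    # new web content
        write("var/log/app.log", b"started\nrequest\n")     # noise: excluded by profile
        os.remove(os.path.join(root, "www/index.php"))      # web content deleted
        after = take_baseline(root, INCLUDE, EXCLUDE)
        return diff_baselines(before, after)


if __name__ == "__main__":
    for event, path in demo():
        print(f"{event:12s} {path}")
```

The four events that survive are exactly the ones an auditor asks about (binary content, configuration permissions, web content added and removed); the log churn never reaches the event list, which is what "tuning" a monitoring profile means in practice.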
Focus for 2019


Simplest tuning in the industry! 


Secondary Event Filtering and Automated Correlation


API access to data 

Rule-based Alerting 

Reporting 

Expanded data collection & whitelisting 
features 

Expanded Platform Support 
File Integrity Monitoring


FIM Feature Roadmap


Q4 2018 - 1.9
Incident Management UI & Workflow
Agent Health UI Improvements
Tune from Event View
Initial Reporting - Change Incident Report
Monitoring Profile Editor Phase II


Late Q4 2018/Early Q1 2019 - 1.10
Incident List API
Incident-Event List API
Event Query API
Management Queries API


Q1 2019
Show Improvements
Library Improvements
FIM Mgmt API features
External Change Control Integration

2.0
Automated Incident Correlation
Expand Reporting
Basic Notification


Q2 2019 - 2.2
Process Whitelisting
Dashboard Expansion
AssetView Integration


Q3 2019 - 2.3
File Text Change Details
Windows Registry Change Detection
Monitoring Profile Import/Export
Streaming Event API
Security Assessment Questionnaire


Complement your Technical security program with the Assessment of Procedural Controls & Vendor Risk




Assess Procedural Controls with Security Assessment Questionnaire


Cloud-Based Questionnaires
Visually design questionnaires


Assign assessments leveraging the embedded workflow


Intuitive response
Track using an operational dashboard


Review answers and evidence
One of the biggest Financial Institutions


Assesses their Internal Procedural and Process controls


Need to comply with a number of International and regional mandates/standards.

They understand >50% of compliance requirements are related to assessing processes and procedures.

Important that Respondents find it easy and make the collected data actionable.


Took 2 hours to rebuild an Excel-based 76-question assessment using the web-based UI and out-of-box rich content.

Dashboards the process deficiencies and risk posed by Internal controls failure.

Consolidates the Internal procedural control posture with Technical compliance controls.
New-age Vendor Assessment Challenges


Extend the Perimeter to include vendors - security & vulnerability data collection

Vendor Profiling based on the services

Vendor Assessment based on criticality

Vendor control data aggregation with Internal security and compliance data

Automated workflow, operational dashboards


[Figure: breach origin (direct breach vs. third parties) and example breaches by source of attack, financial impact and reputational impact: $200 million in costs (to date), $2-3 billion, $3 billion; companies shown include Google, Yahoo! and T-Mobile]


One of the biggest pharmaceutical companies
Assessing their vendor risk through SAQ


Vendor Profiling - defines criticality based on service areas/cybersecurity domains

Uses out-of-the-box content, including regional mandates

Easy online workflow for the vendors; receives reminders, alerts and status


Assesses vendors per their risk profile, in a standardized (SIG) manner

Dashboards the risk posed by the highly critical vendors and ranks them per risk

Consolidates the vendor control posture with Internal procedural & technical compliance controls
Rich Template Library


Industry

PCI DSS SAQ A, B, C, D
IT for SOX
GLBA
BASEL 3 (IT)
HIPAA
HITRUST
NERC CIP v5
SWIFT
NERC CIP


Popular Standards

ISO 27001:2013 ISMS
NIST CSF
COBIT 5
FedRAMP
COSO
ITIL
CIS TOP 20 Controls
Shared Assessment (SIG) - vendor assessment


Regional

GDPR
Abu Dhabi Info Sec Standards
ANSSI (France)
MAS IBTRM (Singapore)
BSP (Philippines)
BSI Germany
ISM (Australia)
Data Protection
RBI Guidelines (India)
California Privacy**
Canada Data Protection 2018**


Technical Services

CSA CAIQ v3.0.1
CSA CCM v3.0.1
Vendor Security for Hosting Service Provider AWS **
Procedural controls for cloud, containers**
Security Assessment Questionnaire


SAQ Roadmap 


Q3 2018 


User/Role/Privilege Management 
Question Bank 
Create template from 
library templates 
New campaign UI 
Risk scoring 


Q4 2018 


SAQ Lite - for PCI users 


Q1 2019 


Vendor-driven workflows to cater to customers
- Create answer bank
- Upload customer required templates
- Match on Keywords
Metrics, Dashboards on risk posed to my customers


Vendor Risk Management workflows
- Vendor Onboarding, Profiling
- Automated assessment based on Vendor profiles/onboarding
- Compare vendors based on risk scores
- Dashboards on total Vendor risk/Trending/Top 5 risky vendors


* Roadmap items are future looking; timing and 
specifications may change 
In the world where everyone is a vendor of someone
SAQ Feature coming up in Q1: Answer bank

Technology company wants to understand Risk posed to the customers


Receives 100s of questionnaires from their customers and answers them offline, through spreadsheets


Costly & resource-intensive to respond, and gains no visibility into risk intelligence


Want to understand what risk they pose to their critical customers


Want to understand the top failing and passing cybersecurity areas/answers to improve their own internal controls


Wants to drive the vendor-management project to showcase their good security practices and use the data for contract negotiation
Security Assessment Questionnaire